Firewall Rules Questions

Hi there,

Could any experienced CF\CIS user please help me with the following issues?
The first 2 interest me particularly.

1:
I don’t think so, but is it possible to create this kind of behaviour inside CF?
Allow TCP and UDP connections (In and Out) on some ports only for certain applications, but at the same time block all other TCP and UDP connections on those ports when those apps are not involved.

I know the order in which CF processes Inbound and Outbound connections, and after a lot of trying I supposed that this kind of rule is not possible inside Comodo.

I’ll detail for some p2p programs.
I want to block all In/Out connections on TCP and UDP ports from 1025-65535 (and maybe other small-numbered ports), but at the same time I want my p2p programs (BitComet and eMule) to be able to transfer data using TCP and UDP (In/Out) on ANY ports from the range 1025-65535.
Limiting the range of ports used by the p2p programs would be almost the same thing.

I want this because these p2p programs use aggressive techniques for connecting to other users, that is, they use more or less random ports each time and use a lot of ports if many connections are established.
So they use both TCP and UDP and I can’t predict which ports are going to be used, even if you specify a certain port inside the p2p application.

The only solution I see is to create a custom profile that is active when using a p2p client (and so is not able to block everything), and another, more restrictive profile that you apply when not doing any p2p transfer.

2:
If you choose to log certain connections, for example “Block all TCP”, Comodo Firewall captures/logs transfers from other IPs to other IPs, all different from my IP, i.e. it captures other connections too, not just those that involve my machine.

Wireshark, in default mode, doesn’t log/capture transfers between other IPs different from yours.
Is this logical, or normal for a firewall?

3:
Does anyone know why the Comodo team implemented the rule-checking mechanism this way, creating a list for Applications and a list of General Rules, instead of combining both into one and parsing the rules (for In and Out traffic) from top to bottom every time?

4:
What do you think of this problem I found with some types of overlapping rules, but only when defining a range of IPs, not when using the Any IP choice?
If I create an Allow rule and a Block rule with a smaller range below the first one, then the corresponding connections are blocked instead of being allowed.
I use CF 3.0.25.

The rules are:
Allow and Log TCP Out From IP In [ My IP Range ] To IP Any Where Source Port Is Any
And Dest Port Is In [1025-65535]

Block and Log TCP Out From IP In [ My IP Range ] To IP Any Where Source Port Is Any
And Dest Port Is 443

The first one is on the top of the global rules.
They are just some test rules, but I think the Allow rule should have priority of the two overlapping rules because it is on top.
If I use Any instead of My IP Range the connections are allowed.

5: (Just a thought)
As posted here:
https://forums.comodo.com/frequently-asked-questions-faq-for-comodo-firewall/how-to-understanding-creating-network-control-rules-properly-t1125.0.html the rule using [ “In/Out” when both the destination IP and source IP ranges are not both set to “Any”] doesn’t usually make sense, but can be created inside the firewall.

Thanks.

1: I don't think so, but is it possible to create this kind of behaviour inside CF?...

A port will only be ‘open’ when an application or process is using it.

I'll detail for some p2p programs...

Define a specific port in your torrent client and then create application rules that listen on that port. Then create a global rule that allows TCP/UDP in on that port. Once done, you can create another global rule, below the one for your torrent client that blocks everything else IN.

2: If you choose...

There will always be ‘noise’ originating from the Internet. If you have a router it will filter most of this out. If not, the firewall will log these events if told to do so.

If I start Wireshark in default mode, I see this traffic when directly connected.

3: Does anyone know...

It’s not uncommon, several other firewall vendors do the same. It’s actually a very good way to do things, although I guess it can be confusing at first if you’ve come from something else.

Rules are processed from top to bottom.

4: What do you think...

The version of the firewall you are using is very old. They are now on version 4.

Global rules should be used for controlling inbound connections. Application rules for outbound connections.

If I understand you correctly, in the first rule you allow ports from 1024 to 65535. In the second rule you block port 443. The first rule has nothing to do with the second, the port range in the first is outside the port in the second.

5: (Just a thought)...

I wouldn’t recommend using IN and OUT in the same rule set, it will get very confusing very fast. Always create separate IN and OUT rules with useful names.
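To make the first-match point in this reply concrete, here is a small rule evaluator added for illustration (not code from Comodo or from anyone in this thread). It models a global-rules list as a top-to-bottom, first-match walk over the two test rules from question 4, with a constructed 192.168.1.0/24 standing in for “My IP Range” and 0.0.0.0/0 standing in for Any.

```python
"""Toy first-match rule evaluator (constructed model, not Comodo's engine)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    action: str        # "allow" or "block"
    direction: str     # "out" or "in"
    proto: str         # "tcp" or "udp"
    src_net: str       # CIDR; "0.0.0.0/0" plays the role of Any
    dst_net: str
    src_ports: tuple   # inclusive (low, high); (1, 65535) plays the role of Any
    dst_ports: tuple

    def matches(self, direction, proto, src_ip, dst_ip, src_port, dst_port):
        # Every field has to match for the rule to fire.
        return (self.direction == direction and self.proto == proto
                and ip_address(src_ip) in ip_network(self.src_net)
                and ip_address(dst_ip) in ip_network(self.dst_net)
                and self.src_ports[0] <= src_port <= self.src_ports[1]
                and self.dst_ports[0] <= dst_port <= self.dst_ports[1])


def evaluate(rules, **conn):
    """Walk the list top to bottom; the first matching rule decides."""
    for rule in rules:
        if rule.matches(**conn):
            return rule.action, rule.name
    return "no-match", None


def ports_overlap(a, b):
    """True if two inclusive (low, high) port ranges share any port."""
    return a[0] <= b[1] and b[0] <= a[1]


ANY_NET = "0.0.0.0/0"
ANY_PORT = (1, 65535)
MY_RANGE = "192.168.1.0/24"   # constructed stand-in for "My IP Range"

# The two test rules from question 4, in the order they sit in the global list.
GLOBAL_RULES = [
    Rule("allow-high-ports", "allow", "out", "tcp", MY_RANGE, ANY_NET, ANY_PORT, (1025, 65535)),
    Rule("block-443", "block", "out", "tcp", MY_RANGE, ANY_NET, ANY_PORT, (443, 443)),
]

if __name__ == "__main__":
    print(evaluate(GLOBAL_RULES, direction="out", proto="tcp", src_ip="192.168.1.10",
                   dst_ip="203.0.113.5", src_port=50000, dst_port=443))
```

Running it shows why the ordering question does not arise here: destination port 443 is outside 1025-65535, so the Allow rule never matches and the Block rule is the first (and only) match, while a destination port such as 8080 is caught by the Allow rule on top.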

Thank you Das for your reply.

4: If I understand you correctly,
Sorry, I wasn't paying attention to the IP range and thought the two rules overlapped.

I knew that.

Thanks again.